New Regulation for the Data Protection Officer
By Pedro Córdova Balda, María Paula Arellano and Gabriela Holguín, Robalino

The Superintendency for the Protection of Personal Data (SPDP) published, through resolution No. SPDP-SPD-2025-0028-R, the Regulation for the Data Protection Officer (DPO), which aims to regulate the DPO's activities in the exercise of their duties to comply with the Organic Law on the Protection of Personal Data (LOPDP) and its Regulation.
On the appointment:
Who can appoint a DPO?
The controller or processor, whether they are:
1. A natural person or their special attorney;
2. A private legal entity, through its legal representative or authorized attorney;
3. A public legal entity, through its highest authority.
What must the appointment include?
The appointment must include: the date, organizational information, information about the legal representative and the DPO, applicable duties and principles, acceptance of the position, and documents supporting legal representation and existence.
Registration of the appointment with the SPDP
- If formalized with electronic signatures: it must be registered through the website within 15 days.
- If formalized with handwritten signatures: it must be submitted in person to the SPDP.
The General Directorate of Technological Innovation and Personal Data Security will have three months to develop and implement the application or system that will allow the digital registration of private sector DPO appointments.
DPO Registry
The SPDP will maintain a publicly accessible list of DPOs, which will include:
- Name and address of the controller/processor;
- Professional address and email of the DPO;
- Additional information for foreign controllers or processors.
Registration does not imply automatic validation of suitability, which may be verified at any time by the SPDP.
Additional requirements
In addition to meeting the requirements of the Regulation to the LOPDP, the DPO must complete and pass the mandatory Official Data Protection Officer Professional Program established by the SPDP.
Entities required to appoint a DPO:
Entities, including non-profit ones, must appoint a DPO if they regularly process personal data in sectors such as:
- Education (all levels);
- Health;
- Financial and insurance;
- Advertising, marketing, telecommunications;
- Private security and property management;
- Federations, unions, and public service concessionaires;
- Public sector entities.
What are the duties of a DPO?
- Advise on risk management and security measures;
- Supervise the handling of data subjects' rights;
- Oversee regulatory compliance and data processing records.
Prohibitions for a DPO:
- Directly perform tasks of the controller or processor;
- Make decisions about the purposes of processing;
- Represent the organization before the SPDP as a controller or processor;
- Simultaneously hold roles such as security officer, compliance officer, implementer, or any other role that could generate a conflict of interest.